Sun Pushes Emergency Java Patch
Trailrunner7 writes "In a sudden about-face, Sun has rushed out a Java update to fix a drive-by download vulnerability that exposed Windows users to in-the-wild malware attacks. The patch comes less than a week after Sun told a Google researcher it did not consider the issue serious enough to warrant an out-of-cycle patch and less than a day after researchers spotted live exploits on a booby-trapped Web site. The flaw, which was also discovered independently by Ruben Santamarta, occurs because the Java-Plugin Browser is running 'javaws.exe' without validating command-line parameters. Despite the absence of documentation, a researcher was able to figure out that Sun removed the code to run javaws.exe from the Java plugin. The about-face by Sun is another sign that some big vendors still struggle to understand the importance of working closely with white hat researchers to understand the implications of certain vulnerabilities. In this case, Google's Tavis Ormandy was forced to use the full-disclosure weapon to force the vendor into a proper response."
Why is it that corporate types never understand that if the white hats have found it, the black hats have too...and are exploiting it.
I think White Hats need to not only use that threat, but follow up on it, more regularly so that serious flaws like this get the attention they deserve.
"There is a way that seems right to a man, but its end is the way of death." Proverbs 16:25 (NKJV)
about-face
drive-by
in-the-wild
out-of-cycle
booby-trapped
Java-Plugin
command-line
about-face
full-disclosure
there is no company or organization called "sun" ... there is only oracle now.
java patch:
http://www.thinkgeek.com/stuff/41/caffederm.shtml
More music, fewer hits
I think White Hats need to not only use that threat, but follow up on it, more regularly so that serious flaws like this get the attention they deserve.
I recommend we coin a new term for this elite breed of white hat. White hats that are more aggressive. Not afraid to be an asshole when required. I would like to propose: "ass hats"
These posts express my own personal views, not those of my employer
Just disable the JNLP file association. We have a number of third party websites that require a specific version of Java to function (I'm looking at you, ADP etime), so we can't just upgrade to the newest version. The workaround is to remove the JNLP file association from the registry, which leads IE to prompt to download the file instead of automatically running it.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
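For admins applying the workaround from the comment above, here is a read-only PowerShell check (added here, not the commenter's script) that reports whether .jnlp files on a Windows host are still handed to Java Web Start. It assumes the effective association is visible under HKEY_CLASSES_ROOT\.jnlp and that its ProgID key carries a shell\open\command value, which is how Java's installer normally registers the type.

```powershell
# Added example: audit the .jnlp file association that the workaround removes.
# Read-only; it changes nothing. Assumption: the merged HKEY_CLASSES_ROOT view
# reflects what the browser will use when it receives a .jnlp download.

function Get-JnlpAssociation {
    $extKey = 'Registry::HKEY_CLASSES_ROOT\.jnlp'
    if (-not (Test-Path $extKey)) {
        # No extension key at all: IE falls back to a download prompt.
        return [pscustomobject]@{ Associated = $false; ProgId = $null; Command = $null }
    }

    # The extension key's default value names the ProgID (Java Web Start's class).
    $progId  = (Get-ItemProperty -Path $extKey -ErrorAction SilentlyContinue).'(default)'
    $command = $null
    if ($progId) {
        $cmdKey = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
        if (Test-Path $cmdKey) {
            # This is the program the file is launched with, typically javaws.exe.
            $command = (Get-ItemProperty -Path $cmdKey).'(default)'
        }
    }

    [pscustomobject]@{
        Associated = [bool]$progId
        ProgId     = $progId
        Command    = $command
    }
}

$assoc = Get-JnlpAssociation
if ($assoc.Associated -and $assoc.Command -match 'javaws') {
    Write-Warning "Browser still hands .jnlp files to Java Web Start: $($assoc.Command)"
} elseif ($assoc.Associated) {
    Write-Output "JNLP is associated with $($assoc.ProgId) (not javaws): $($assoc.Command)"
} else {
    Write-Output 'No .jnlp association present; IE will prompt to download instead.'
}
```

The check only tells you whether the workaround is in place on a box that cannot take the patch; hosts that can upgrade should install the fixed Java release rather than rely on the association being absent.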
It's not that corporations don't "get the value" of White Hat reports. They love them!
But these corporations are not giant machines running on magic. They are made up of people who have other priorities, other deadlines and will not get paid anything for going through the mountains of work that must be done to issue an emergency fix. Absolutely, they should be more responsive. But it's not like they're sitting on the beach smokin' a bowl. These corporations are busting their ass to find enough money to keep all their people employed. Issuing an embarrassing, costly and difficult fix is a lot like working an extra job to pay an unexpected hospital bill. How much enthusiasm would you have in that situation?
Due to development constraints, I run JDK 5 Update 22 on my system.
As of Nov 3rd 2009, Update 22 is the last public release of version 5.
I used the exploit demo link to see if it is also vulnerable, and sure enough it attempted to launch a program.
So now the still-quite-large-installed-base of 1.5.0_x users are screwed!!!
Fortunately though, my AVG quickly blocked it, reporting it as "Exploit JSE WebStart (type 1067)"
They will once again propose that I install a toolbar. WTF, just do your update and stop trying to install shit I don't want after I already said "NO" to the same question 10 freaking times before.
"Write once, exploit everywhere"
Well, someone had to say it.